Authentication and Key Agreement Via Memorable Password

Home , IEEE P1363

Authentication and Key Agreement via Memorable Password

Taekyoung Kwon

University of California, Berkeley

[email protected] or [email protected]

Up dated on August 20, 2000

Preliminary Version 2.51 since May 1, 2000

Abstract

This pap er presents a new password authentication and key agreement proto col, AMP,

based on the ampli ed password idea. The intrinsic problems with password authentica-

tion are the password itself has lowentropy and the password le is very hard to protect.

Wepresent the ampli ed password pro of and the ampli ed password le for solving these

problems. A party commits the high entropy information and ampli es her password

with that information in the amplifed password pro of. She never shows any informa-

tion except that she knows it. Our ampli ed password pro of idea is very similar to the

zero-knowledge pro of in that sense. We adds one more idea; the ampli ed password

le for password le protection. Aserver stores the ampli ed veri ers in the ampli ed

password le that is secure against a server le compromise and a dictionary attack.

AMP mainly provides the password-veri er based authentication and the Die-Hellman

based key agreement, securely and eciently. AMP is easy to generalize in any other

cyclic groups. In spite of those plentiful prop erties, AMP is actually the most ecient

proto col among the related proto cols due to the simultaneous multiple exp onentiation

i n n+ + ++ c

metho d. Several variants such as AMP ,AMP ,AMP , AMP ,AMP , and AMP

are also prop osed. Among them, AMP is actually the basic proto col of this pap er that

describ es the ampli ed password pro of idea while AMP is the most complete proto col

that adds the ampli ed password le. AMP simply removes the ampli ed password le

from AMP.Intheend,we give a comparison to the related proto cols in terms of eciency.

This manuscript is a preliminary version of our pap er available from the IACR eprint

archive, http://eprint.iacr.org/2000/026. The proto cols describ ed in this pap er were

submitted as a contribution to the IEEE P1363 study group for future PKC standards,

Ultimate Solution to Authentication via Memorable Password[23 ]. It is available from the

website, http://grouper.ieee.org/groups/1363/StudyGroup/Passwd.html#amp.

Keywords: Authentication, key agreement, password guessing, password veri er, public-

key cryptography, discrete logarithm problem, Die-Hellman problem, ampli ed pass-

word pro of, ampli ed password le. 1

1 Intro duction

Entity authentication is one of the most imp ortant security functions. It is necessary for

verifying the identities of the communicating parties when they initiate their connection.

This function is usually provided in combination with a key establishment scheme such as

key transp ort or key agreement between the parties. For user authentication, three kinds

of approaches exist; knowledge-based authentication, token-based authentication,andbiometric

authentication. Among them, the knowledge-based scheme is for human memory ( mind).

Actually, it is the most widely-used metho d due to such advantages as simplicity,convenience,

adaptability, mobility, and less hardware requirement. It requires users only to remember

and typ e in their knowledge such as a password or PIN(p ersonal identi cation number).

Therefore, users are allowed to move conveniently without carrying hardware tokens. How-

ever, a complex problem with this password-only authentication is that a human-memorable

password has lowentropy so that it could b e vulnerable to malicious guessing attacks. The

problem b ecomes much more critical in an op en distributed environment. Moreover, pass-

word le protection is another problem that makes password authentication more unreliable.

If a password le is compromised, at least it is vulnerable to dictionary attacks. A cryp-

tographic proto col based on public-key cryptography is the most promising solution to this

problem.

Password Protocols. Since the rst scheme, LGSN[25 ], was intro duced in 1989, many

proto cols have followed it. Among them, EKE[7] was a great landmark of certi cate-free

proto cols. One variant of EKE, DH-EKE[7 ], intro duced the password authentication and

key agreement, and was \enhanced" to A-EKE[8 ] that was the rst veri er-based proto col to

resist a password- le compromise and to accommo date salt while there was an earlier work

describing the use of salt[38 ]. GLNS[15 ] was enhanced from LGSN. Due to the ineciency and

constraints of older schemes, various mo di cations and improvements have followed. They

include TH[37 ], AL[1 ], M-EKE[36 ], Gong[16 ], KS[21], SPEKE[18, 19 ], S3P[34 ], SRP[39 ],

HK[17 ], and GXY[22 ]. However, some of them have been broken and some are still b eing

cryptanalyzed[2 , 13 , 31 , 9 ]; most were inadequate for the security pro of due to ad-ho c meth-

o ds of protecting the password. In the mean time, OKE[26 ] intro duced a provable approach

and was followed by several great work such as SNAPI[27 ], EKE2[5], AuthA[6], and PAK[10 ].

They show the provable approach in this area is getting matured.

Among the password proto cols, A-EKE, B-SPEKE, SRP, GXY, SNAPI-X, AuthA, and

PAK-X are classi ed as password-veri er based proto cols[8 , 19 , 39 , 22 , 27 , 6, 10 ]. They allow

the asymmetric mo del in which a client p ossesses a password, while a server stores its veri er

rather than the password. Following A-EKE[8 ], B-SPEKE was augmented from SPEKE[18,

Readers are referred to Figure 8 attached in App endix of this do cument. Jablon's work[18 ] is recommended

as the b est tutorial for the password proto col study while Wu's work[39 ] is the b est for the veri er proto col

study. Bellare and Rogaway's work[3 ] is the fundamental of the provable approach. 2

19 ]. SRP showed ecientwork on a veri er and GXY was derived from SRP[39, 22]. SNAPI-

X was augmented from SNAPI while PAK-X was enhanced from PAK[27 , 10 ]. AuthA was

derived from several previous proto cols but strongly studies a provable approach[6 ]. How-

ever, even the veri er-based proto cols still allow dictionary attacks and server imp ersonation

attacks if a server le is compromised. Currently, standardization work on this eld is b eing

considered in IEEE P1363 group.

Contribution. Our goal is to design a new proto col in a provable manner, which com-

bines the following functions securely and eciently.

Password(-veri er) based authentication[8 ]

Die-Hellman based key agreement[12 ]

Easy generalization[28 ]

Password le protection

For achieving the goal, we prop ose two simple ideas called the ampli ed password pro of that

makes a user amplify her password and prove to know the ampli ed password, and the

ampli ed password le that makes a server store the ampli ed veri er for resisting a server le

compromise and a dictionary attack. From the p ointofview,we name our proto col AMP that

stands for Authentication and key agreement via Memorable Password. Regarding several

i n

functional issues, we also present ma jor variants of AMP. They are called AMP , AMP ,

n+ + ++ c

AMP , AMP , AMP , and AMP . Among them, AMP is actually the basic proto col

of this pap er that describ es the ampli ed password pro of idea though it is designed for

a symmetric setup. Several minor variants also can be considered but they are explained

implicitly. We compare the eciency of all veri er-based proto cols. Actually, AMP is the

most ecient proto cols among the existing veri er-based proto cols. Note that AMP will b e

designed to avoid explicit encryption/decryption at least for authentication and veri cation

though it will provide a key agreement function.

2 AMP Proto col Design

2.1 Preliminaries

AMP is typically the twoparty case so that we use Al ice and Bob for describing a clientand

a server, resp ectively. Eve indicates an adversary whether she is passive or active. and

denotes password and salt, resp ectively. = means a comparison of two terms, for example,

= . Let f0; 1g denote the set of nite binary strings and f0; 1g the set of in nite ones.

implies the empty string. k is our securityparameter long enough to prevent brute-forcing

2 1

l (k )

while l (k ) 2k , ! (k ) k , and t(k ) k . h() : f0; 1g !f0; 1g means a collision-free

3 3 3

one-way hash function. All hash functions are assumed to behave like random oracles for

security pro of[3]. Note we abbreviate a mo dular notation, mo d p, for convenience hereafter.

l (k )

Random Oracle. We assume random oracles h () : f0; 1g ! f0; 1g for i 2 [1; 5].

If Eve sends queries Q ; Q ; Q ; ::: to the random oracle h , she can receive answers h (Q ),

1 2 3 i i j

all indep endently random values, from the oracle. Let h() denote a real world hash function.

For practical recoveries of random oracles in the real world, we de ne; h (x) = h(00jxj00),

h (x)=h(01jxj01), h (x)=h(01jxj10), h (x)=h(10jxj10) and h (x)=h(11jxj11) by follow-

2 3 4 5

ing the constructions given in the Bellare and Rogaway's work[3 ]. j denotes the concatenation.

Numerical Assumption. Security of AMP is based on two familiar hard problems which

are b elieved infeasible to solve in p olynomial time. One is Discrete Logarithm Problem;given

a prime p, a generator g of a multiplicative group Z , and an element g 2 Z , nd the

p p

integer x 2 [0;p 2]. The other is Die-Hellman Problem; given a prime p, a generator g

x y xy

of a multiplicative group Z , and elements g 2 Z and g 2 Z , nd g 2 Z . These

p p p p

two problems hold their prop erties in a prime-order subgroup[30, 28 ]. We assume that all

numerical op erations of the proto col are on the cyclic group where it is hard to solve these

problems. We consider the multiplicativegroup Z and actually use its prime-order subgroup

Z . We should use its main op eration, a mo dular multiplication, for easy generalization. For

the purp ose, Bob cho oses g that generates a prime-order subgroup Z where p = qr +1. Note

that a prime q must be suciently large (> l (k )) to resist Pohlig-Hellman decomp osition

and various index-calculus metho ds but can b e much smaller than p[30 , 32 , 33 ]. It is easy to

(p1)=q

. Z is preferred for eciency and for preventing make g by where generates Z

a small subgroup con nement more e ectively. By con ning all exp onentiation to the large

prime-order subgroup through g of Z , each party of the proto col is able to detect on-line

attack whenever a received exp onential is con ned to a small subgroup. We can use a secure

prime mo dulus p suchthat(p 1)=2q is also prime or each prime factor of (p 1)=2q is larger

than q ,orasafe prime mo dulus p such that p =2q + 1[24 ]. We strongly recommend to use a

secure prime mo dulus b ecause it allows much smaller q , e.g., closely down to l (k ).

2.2 Our Idea

Our idea is to \amplify" the lowentropy of password (1) on the well-structured cryptographic

proto col, i.e., on the secure interaction b etween communicating parties, and (2) in the well-

structured password le, b oth for securing password authentication and password le.

Definitions. Firstly we give some useful de nitions followed by our detailed idea.

De nition 1 A Password Proof de nes; a party A who knows a low entropy secret cal led a

password makes a counterpart Bconvinced that Aiswho knows the password. 4

We can consider two kinds of setup such as a symmetric setup and an asymmetric setup.

The asymmetric setup could b ene t from salt for overcoming the text-equivalence of the

symmetric setup. The password pro of is actually comp osed of two kinds of pro of.

De nition 2 ASecure PasswordProof de nes; a party A successful ly performs the Password

Proof without revealing any information about the password itself.

De nition 3 An Insecure PasswordProof de nes; a party A successful ly performs the Pass-

word Proof but fails the Secure Password Proof, or aparty Asuccessful ly performs the Pass-

word Proof by showing some or al l information about the password.

The insecure pro of can b e classi ed into the fully insecure password pro of suchasPAP(password

only), the partially insecure password pro of such as CHAP(challenge and handshake), and

the cryptographically insecure password pro of such as some cryptographic proto cols.

De nition 4 An Ampli ed Password Proof de nes; a party A who knows a password am-

pli es the password and makes a counterpart B convinced that A is who knows the ampli ed

password.

The Amplification. Our ampli cation idea is very simple, for example, Al ice insists on her

knowledge of password by giving x + mo d q rather than only, while x is the randomly-

chosen high entropy information. For the purp ose, fresh x must be securely committed by

Al ice prior to her pro of of each session. (x + is not guessable at all whereas is guessable,

if x is kept secret.)

De nition 5 The Ampli ed Password $ de nes a value that only who knows and x can

make from A( ; x) where x is chosen randomly at Z and is a human-memorable password

for an arbitrary ampli cation function A(). (Note: $ is rather ephemeral.)

We con gure this idea as an ampli ed password pro of.

The Amplified Password Proof. Assume that Al ice knows while Bob knows g .

The pro cedure of the ampli ed password pro of is comp osed of basically three steps such as

initial commitment, challenge, and resp onse; the initial commitment step performs a secure

commitment of x having high entropy by Al ice; the challenge step p erforms a random chal-

lenge of y by Bob;theresp onse step p erforms a knowledge pro of of Al ice ab out the ampli ed

password $ . We de ne three functions for each step; they are G () for initial commitment,

G () for challenge, and H () for resp onse.

De nition 6 The Ampli ed Password Proof performs; Al ice who knows her password ,

randomly chooses and commits the high-entropy information x to Bob. Bob who knows g ,

picks y at random and asks Al ice if she knows the password and the committed information.

Al ice responds with the fact she knows the ampli ed password $ . 5

Alice Bob

G (x)

initial commitment !

G (y )

chal l eng e

H($ )

r esponse !

For secure commitment, G () should not reveal x even to Bob, for example, g . While G ()

1 2

transmits a fresh challenge, H () should imply the fact only that Al ice knows $ without

revealing any information ab out x and . If wesetA( ; x)=(x + ) mo d q , then only who

(x+ )y

knows x and can compute $ . So wesetG () = g for making veri cation information,

(x+ )y $ y x y

i.e., (g ) = g . Bob who knows G () as well as g , can make G () by (g g ) . As a

1 2

y y

result, b oth parties can get g , the veri cation information, so we set H () = g . Of course,

they can also make g due to the Die-Hellman scheme. Therefore, we can derive the

following theorem that is easy to prove by assuming x is randomly chosen at Z . (hint : $

x (x+ )y y

is not derivable from g , g , g and even g . as well as x are necessary for computing

A( ; x).)

Theorem 1 The Ampli ed Password Proof is a Secure Password Proof.

This means Al ice never shows the password itself for her pro of, rather she proves the fact of

knowing it. The ampli ed password pro of idea is very similar to the zero-knowledge pro of

in that sense, but g must b e kept secure b ecause it is actually vulnerable to guessing attacks.

The Amplification and Key Exchange. It is easy to add key exchange to the ampli ed

password pro of b ecause we already utilized the Die-Hellman scheme. For key exchange,

Al ice can derive a session key from g and showthefact of agreeing on it. Bob is also able

to do the same thing. A strong one-way hash function must be the best to ol for this. For

xy 1

Al ice to agree on g , we set $ = (x + ) x mo d q . For mutual key con rmation as well

as mutual authentication, however, the proto col must be con gured by four steps to add

Bob's resp onse. The following describ es the basic version. Note that the cases, x 2f0; 1g ,

1 1 1

y 2 f0; 1g , G 2 f0; 1g , G 2 f0; 1g , and their small subgroup con nements must be

1 2

avoided for a security reason.

Alice(id; ) Bob(id; g or )

x 2 Z

R q

id;g

G = g !

fetch (id; )

y 2 Z

R q

(x+ )y

1 y y y

$ =(x + ) x mo d q G =(G g ) or (G ) g

2 1 1

$ y

=(G ) =(G )

2 1 6

K = h ( ) K = h ( )

1 1 2 1

h(G ;K )

1 1

H = h (G ; K ) ! H = h (G ; K )

11 2 1 1 12 2 1 2

verif y H = H

11 12

h(G ;K )

2 2

H = h (G ; K ) H = h (G ; K )

21 3 2 1 22 3 2 2

verif y H = H

21 22

Figure 1: AMP Proto col

Both parties compute exp onentials as like the Die-Hellman scheme. The di erence is that

the random exp onentof and the base of G are tactfully transformed. We call this proto col

AMP (AMP-naked) b ecause the proto col is actually vulnerable to client imp ersonations as

well as server imp ersonations and dictionary attacks if a password le is compromised. Bob

can store rather than g and for this case G b ene ts from the simultaneous multiple exp o-

nentiation metho d in terms of eciency[28 , 35 ]. Ab ove all, g must be kept secure b ecause

it is actually vulnerable to guessing attacks. So we prop ose an ampli ed password le idea

for improving the security of the password le.

The Amplified Password File. As for the password le, an asymmetric setup is preferred

b ecause of the weakness of text-equivalence in a symmetric setup[8, 19 , 39 ]. If a password le

is compromised, it can be used directly for a client imp ersonation in the symmetric setup.

However, the low entropy of password makes the password le vulnerable to dictionary at-

tacks and server imp ersonation attacks even if each password is hashed or exp onentiated in

the asymmetric setup. For example, a veri er such as = h( ) is vulnerable to guessing

attacks and sever imp ersonation attacks. For the password le protection, encryption can b e

considered but the key management and p erformance issue must b e overcome. The ampli ed

password le is a password le of which a record includes an ampli ed veri er.

De nition 7 The Ampli ed Veri er de nes a value that only who knows & and can use

for password veri cation where & is chosen randomly at Z and is is chosen randomly at

k (& + ) 1

f0; 1g . Set = g where = h(id; ). If (& + ) =1, is not the ampli ed veri er.

(Note: is semi-permanent.)

A record of the ampli ed password le is (id; ; ). The ampli ed password le is stored in an

ordinary server system while & must be stored in and supplied from a secure storage device

such as a smart card. Ideally, & should not leave such a secure device but a b ottleneck may

b e a problem with a p o or-p erformance device. Otherwise, we can devise a sp ecial hardware

device for p erforming & related op erations with higher p erformance but practically & maybe

loaded to the server's memory. However, even if & resides in the server's run-time memory,

the memory dump and its analysis are necessary for launching a server imp ersonation attack

or a dictionary attack with the compromised password le. That is, the ampli ed password

le itself is secure against suchattacks if & is secure; even if not, an adversary cannot directly 7

imp ersonate a server or launch dictionary attacks without memory dump. AMP will b e the

proto col that enables the ampli ed password ideas and the key agreement. The following

subsection describ es AMP.

2.3 Complete Proto col Description

Weset$ =(x + ) (x + e) where = h (id; ) and e = h (G ; G ; id; Al ice; B ob).

1 2 1 2

Protocol Setup. This step determines and publishes global parameters of AMP.

1. Al ice and Bob share g , p and q . id indicates precisely a user name (id) while Al ice and

Bob mean rather addresses.

! (k )

2. Al ice cho oses 2 f0; 1g and notify Bob, in an authentic and con dential manner

(secure registration, o -line distribution with picture id pro of ).

k (& + )

3. Bob cho oses 2 f0; 1g and stores (id; ; = g ) where = h (id; ). Bob

R 1

should throwaway and .

1 1 1 1

Protocol Run. Note that the cases, x 2f0; 1g , y 2f0; 1g , G 2f0; 1g , G 2f0; 1g ,

1 2

2f0; 1g , and their small subgroup con nements mustbeavoided for a securityreason.

Alice (id; ) Bob (id; ; )

x 2 Z

R q

id;g

! G = g

f etch (id; ; )

= h (id; ) y 2 Z

1 R q

(x+ )y

y (& + )y y 1

G =(G ) =(G g ) =(x + ) mo d q

2 1 1

e = h (G ; G ; id; Al ice; B ob) e = h (G ; G ; id; Al ice; B ob)

2 1 2 2 1 2

$ = (x + e)modq

$ y ey e y

=(G ) =(G ) g =(G g )

2 1 1

K = h ( ) K = h ( )

1 3 2 3

h(G ;K )

1 1

H = h (G ; K ) ! H = h (G ; K )

11 4 1 1 12 4 1 2

verif y H = H

11 12

h(G ;K )

2 2

H = h (G ; K ) H = h (G ; K )

21 5 2 1 22 5 2 2

= H verif y H

22 21

Figure 2: AMP Proto col

The following steps explain how the proto col is executed in Figure 2. 8

1. Al ice computes G = g bycho osing x 2 Z and sends (id; G )toBob.

1 R q 1

y (& + )y

2. After receiving message 1, Bob loads and , and computes G = (G ) by

2 1

cho osing y 2 Z . This can be done by the simultaneous multiple exp onentiation

R q

y (& + )y x y

metho d. Note that G =(G ) =(g g ) . He sends G to Al ice.

2 1 2

3. While waiting for message 2, Al ice computes = h (id; ) and =(x + ) mo d q .

After receiving message 2, Al ice computes e = h (G ; G ; id; Al ice; B ob), $ = (x +

2 1 2

$ (x+ )y $ y (x+e)

e)mod q and = (G ) . Note that = (g ) = g . She computes K =

2 1

h ( ) and H = h (G ; K ). She sends Bob H .

3 11 4 1 1 11

y ey

4. While waiting for message 3, Bob computes e = h (G ; G ; id; Al ice; B ob), =(G ) g =

2 1 2 1

x e y (x+e)y

(g g ) = g , K = h ( ) and H = h (G ; K ). After receiving message 3, Bob

2 3 12 4 1 2

compares H with H . If they are matched, he computes H = h (G ; K ) and sends

12 11 22 5 2 2

Al ice H . This means he authenticated Al ice who knows $ (actually and thus

since x is secure from g ), and agreed up on K (= K = K ).

1 2

5. While waiting for message 4 from Bob, Al ice computes H = h (G ; K ). After receiv-

21 5 2 1

ing message 4, she compares H with H . If they are matched, Al ice also agrees on

21 22

K (= K = K )withauthenticating Bob who knows .

1 2

(x+e)y

Small Discussion. AMP passes four messages b etween Al ice and Bob who agree on g

n xy

while AMP agreed on g . The password le compromise still needs memory dump and

its analysis for getting & . The existence of e is explicit against a compromise of both. For

(& + )x x y

example, if Eve sends to Bob, then Bob will resp ond with (g g ) and compute

x e y (x+e)y xy

= (g g ) = g . If e do es not exist, will be equal to g so that it will be

(x+1) x

computable by G . Due to the existence of e, Eve cannot compute from , x, e

(x+1)

). That is, she cannot falsely convince Bob that she is Al ice even with and g (= G

the password le and & . Here, we should note that the statistical di erence b etween G and

(= ) is only dep endent up on the di erence between and e. If AB S ( e) = 0, they

must b e exactly same to each other though its probability is extremely low. Such a case can

: :

be detected easily by both parties, for example, = G and = G . Note that and e is

2 2

unchangeable and untraceable in G and (= ) actually without knowing either x or y (see

Lemma 1 in App endix). We can make h () and h () have far di erence for and e. In this

1 2

point, we could set q larger than h () where h () should b e at least k larger than h (). For

2 2 1

example, we de ne h (x)=h(01jxj01)h(10jxj01 ) while h (x)=h(00jxj00) by recommending

2 1

SHA-1 or RIPEMD-160 for 160-bit hash. Otherwise, there are several variants removing

n + ++

suchapoint, for example, AMP , AMP ,andAMP . Final two steps can b e mo di ed, for

example, H = h ( ; G ; G ; id; A; B ) and H = h ( ; G ; G ;B;A;id). We can cho ose salt

11 4 1 2 22 5 2 1

implicitly by computing f (id; B ) where f () is an implicit salt function[6, 10 ], for example, 9

= h (id; f (id; B );). For up dating the existing system such as Unix, we can mo dify such

0 0 0

that = h( ;) and sends in message 2 where h( ;) is an existing veri er.

3 AMP Proto col Variants

i n+ +

We present ve explicit variants of AMP and AMP . They are AMP , AMP , AMP ,

++ c i

AMP , and AMP . Among them, AMP excludes the use of the ampli ed password le

while AMP loses the zero-knowledge prop erty for enabling veri er-based authentication to

+ ++

AMP . AMP and AMP are extended for p erturbing the structural similaritybetween G

and (= ) in AMP. Every AMP provides one-way authentication in three steps. Finally,

AMP is a crippled version of AMP family for one-way authentication in two steps.

3.1 AMP

AMP excludes the ampli ed password le from AMP. The di erence of proto col setup is that

Bob stores (id; ; = g ) where = h (; ). Of course, salt can b e obtained implicitly. The

di erence in proto col run is that Al ice computes the inverse of the ampli ed password, after

receiving message G . AMP slightly reduces the running time ab out G but loses the strong

2 2

security against a password le compromise. That is, if the password le is compromised,

Eve is able to directly imp ersonate a server or launch dictionary attacks in AMP while it

was much more dicult in AMP.Weset$ =(x + ) (x + e)modq .

1 1 1 1

Protocol Run. Note that the cases, x 2f0; 1g , y 2f0; 1g , G 2f0; 1g , G 2f0; 1g ,

1 2

2f0; 1g , and their small subgroup con nements mustbeavoided for a securityreason.

Alice(id; ) Bob(id; ; )

x 2 Z

R q

id;g

! G = g

fetch (id; ; )

y 2 Z

R q

(x+ )y

G =(G )

2 1

e = h (G ; G ; id; Al ice; B ob) e = h (G ; G ; id; Al ice; B ob)

2 1 2 2 1 2

= h (; )

$ =(x + ) (x + e)modq

$ y ey e y

=(G ) =(G ) g =(G g )

2 1 1

K = h ( ) K = h ( )

1 3 2 3

h(G ;K )

1 1

H = h (G ; K ) ! H = h (G ; K )

11 4 1 1 12 4 1 2

verif y H = H

11 12 10

h(G ;K )

2 2

H = h (G ; K ) H = h (G ; K )

21 5 2 1 22 5 2 2

verif y H = H

21 22

Figure 3: AMP Proto col

3.2 AMP

n n

AMP was totally vulnerable to the password le compromise. However, we can extend AMP

for veri er-based authentication in the asymmetric setup mo del. Comapred to AMP,thisex-

tension is prop osed for eciency and \easy deployment" at the cost of security. AMP

actually loses the zero-knowledge prop erty, that is, Bob is always able to read in a proto col

run. The main di erence of proto col setup is that = h (; ) where = h (id; ). Of

2 1

course, we can remove salt or use implicit salt; the following version explicitly uses salt. For

AMP , we de ne a function such that E (x; y ) = x + y mo d q and D (x; y ) = x y mo d q .

We can replace their op erations with a mo dular multiplication or a conventional encryption

function though the conventional encryption is not recommended. Weset(x + ) x mo d q .

1 1 1 1

Protocol Run. Note that the cases, x 2f0; 1g , y 2f0; 1g , G 2f0; 1g , G 2f0; 1g ,

1 2

and their small subgroup con nements must b e avoided for a security reason.

Alice(id; ) Bob (id; ; )

x 2 Z

R q

id;g

! G = g

fetch (id; ; )

= h (id; ) y 2 Z

1 R q

(x+ )y

;(g

y y

G =(G ) g

2 1

= h (; )

$ =(x + ) x mo d q

$ y

=(G ) =(G )

2 1

K = h ( ) K = h ( )

1 3 2 3

e = h (id; Al ice; B ob; K ; ) e = h (id; Al ice; B ob; K ; )

4 1 4 2

E (e; )

H = E (e; ) !

verif y = h (; D (H ;e))

2 11

h(G ;K )

2 2

H = h (G ; K ) H = h (G ; K )

21 5 2 1 22 5 2 2

verif y H = H

21 22

Figure 4: AMP Proto col

e is applied to H for recovering .

11 11

3.3 AMP

(x+ )y (x+e)y

AMP p erturbs the structural similarity between G = g and = = g . The

di erence in proto col setup is to set $ =(x + ) (x + e )modq . The main di erence in

proto col run is that b oth parties compute e such that e = h (G ; id; Al ice; B ob). We set

1 1 2 1

$ =(xe + ) (x + e )modq . The randomness of e is totally dep endent up on that of G

1 2 1 1

so that Bob cannot contribute to its randomness, while the randomness of e is dep endent

up on that of G as well as G .

2 1

1 1 1 1

Protocol Run. Note that the cases, x 2f0; 1g , y 2f0; 1g , G 2f0; 1g , G 2f0; 1g ,

1 2

2f0; 1g , and their small subgroup con nements mustbeavoided for a securityreason.

(id; ) Alice Bob (id; ; )

x 2 Z

R q

id;g

G = g !

fetch (id; ; )

= h (id; ) y 2 Z

1 R q

e = h (G ; id; Al ice; B ob) e = h (G ; id; Al ice; B ob)

1 2 1 1 2 1

(xe + )y

y 1 e y (& + )y

g ) =(xe + ) mo d q G =(G ) =(G

1 2 1

e = h (G ; G ; id; Al ice; B ob) e = h (G ; G ; id; Al ice; B ob)

2 3 1 2 2 3 1 2

$ = (x + e )modq

$ y e y

=(G ) =(G ) g

2 1

K = h ( ) K = h ( )

1 4 2 4

h(G ;K )

1 1

H = h (G ; K ) ! H = h (G ; K )

11 5 1 1 12 5 1 2

verif y H = H

11 12

h(G ;K )

2 2

H = h (G ; K ) H = h (G ; K )

21 6 2 1 22 6 2 2

verif y H = H

21 22

Figure 5: AMP Proto col

(xe + )y (x+e )y +

1 2

Note that G = g while = g . We should de ne h (x)=h(10jxj01) for AMP .

2 6

3.4 AMP

AMP is another form of p erturbing the structural similaritybetween G and (= ). The

(& + )

di erence in proto col setup is that Bob stores (id; = g ) where = h (id; f (id; B ob);).

Proto col run is di erent that Al ice cho oses two ephemeral parameters such as x and x .

1 2

, sends them to Bob who will resp ond with G . Al ice computes G = x + mo d q and G = g

2 0 1 1

1 1

Weset$ =(x ) (x + ex )modq so that Al ice computes = $ (x + ex )modq for

2 1 2 1 2 12

G y y ey (x +ex )y

0 1 2

getting . Bob gets by computing (g ) ( ) (G ) . Therefore, the agreed key is g

(x )y

while G = g .

Protocol Run. The following describ es how to run AMP . Note that the cases, x 2

1 1 1 1 1 1 1

f0; 1g , x 2f0; 1g , y 2f0; 1g , G 2f0; 1g , G 2f0; 1g , G 2f0; 1g , 2f0; 1g ,, and

2 0 1 2

their small subgroup con nements must b e avoided for a security reason.

Alice(id; ) Bob(id; )

x ;x 2 Z

1 2 R q

= h (id; f (id; B );)

G = x + mo d q

0 1

id; x +; g

! G = g

f etch (id; )

y 2 Z

R q

(x )y

y (& + )y y

G =(G ) =(G g )

2 1 1

e = h (G ; G ; G ; id; Al ice; B ob) e = h (G ; G ; G ; id; Al ice; B ob)

2 0 1 2 2 0 1 2

$ =(x ) (x + ex )modq

2 1 2

$ G y (& + )y ey

=(G ) = g (G )

2 1

K = h ( ) K = h ( )

1 3 2 3

h(G ;K )

1 1

H = h (G ; G ; K ) ! H = h (G ; G ; K )

11 4 0 1 1 12 4 0 1 2

= H verif y H

12 11

h(G ;K )

2 2

H = h (G ; K ) H = h (G ; K )

21 5 2 1 22 5 2 2

= H verif y H

22 21

Figure 6: AMP Proto col

3.5 AMP

AMP is a crippled version of AMP for allowing one-way authentication in a very restricted

environment where Bob is allowed only one random challenge and Al ice is allowed only

one resp onse to it. This proto col is inevitably vulnerable to a server imp ersonation attack.

However, our idea is that if a server is strongly wired, AMP may b e useful for strong authen-

tication even without encryption in two steps. For example, practically, by combining with

a digital signature scheme, AMP can b e a complete proto col like sf AMP only in two steps.

We de ne a signature function S () and a veri cation function V () for AMP . We assume

Al ice has a certi cate of Bob but it can b e sentto Al ice in step 1. The proto col setup is the

same to that of AMP.Weset$ = ye + mo d q where = h (id; ).

1 13

1 1 1 1

Protocol Run. Note that the cases, x 2f0; 1g , y 2f0; 1g , G 2f0; 1g , G 2f0; 1g ,

1 2

2f0; 1g , and their small subgroup con nements mustbeavoided for a securityreason.

Alice(id; ) Bob (id; )

x 2 Z

R q

G = g

G ;S

1 1

S = S (G )

1 1

verif y D (S )

y 2 Z

R q

G = g

e = h (G ; G ; id; Al ice; B ob)

2 1 2

= h (id; )

$ = ye + mo d q

=(G )

id;G ;H

2 1

H = h ( ) !

1 3

e = h (G ; G ; id; Al ice; B ob)

2 1 2

f etch (id; )

xe (& + )x

=(G )

H = h ( )

2 3

verif y H = H

1 2

Figure 7: AMP Proto col with Digtal Signature

The ab ove proto col is an implicit salt version of AMP but it is easy to get a symmetric setup

version by removing e where a server stores or . Of course, an explicit salt version must

need one more step for exchanging the assigned salt. AMP with digital signature scheme

must be useful for secure web login by assuming Al ice a signed active program such as a

signed Java Applet. Supp ose that Al ice is a signed Java Applet that can be downloaded

from a web server Bob; the signed applet is b eing widely used for preventing a hostile applet.

Then, our simple idea is emb edding an uncerti ed signature-veri cation key (a public key)

of Bob into Al ice b ecause Al ice is an active program signed by a certi cate authority. That

is, we don't need to verify Bob's veri cation key additionally. Otherwise, wecanremove the

digital signature of G by simply imb edding g in the singed Java Applet where c is a private

key of a server. 14

4 Analysis and Comparison

4.1 Security of AMP

App endix A (Lemma 1,2 and Theorem 2) may b e helpful for security discussion.

1. AMP provides p erfect forward secrecy via the Die-Hellman problem and the discrete

logarithm problem (Lemma 2-2). That is, even if (or ) is compromised, Eve cannot

nd old session keys b ecause she is not able to solve the hard problems.

2. Denning-Sacco attack is the case that Eve, who compromised an old session key, at-

tempts to nd or to make the oracle accept her[11 ]. For the purp ose, Eve has to

(x+e)y

solve the discrete logarithm problem even if g (= = ) is compromised. It is also

(x+e)y (x+ )y

infeasible to check the di erence b etween e and in g and g without solving

the discrete logarithm of g . Therefore, AMP is secure against this attack (Lemma 2-1).

3. Replay attack is negligible b ecause G should include an ephemeral parameter of Al ice

while the others suchasG , H and H , should include ephemeral parameters of b oth

2 1 2

parties of the session (Theorem 2-2,5). Finding those parameters corresp onds to solv-

l (k ) k

ing the discrete logarithm problem and each parameter is b ounded by 2 < 2 .

Therefore, b oth activereplay and succeeding veri cation are negligible.

4. Small subgroup con nement is defeated and avoided by con ning to the large prime-order

subgroup. An intentional small subgroup con nement can b e detected easily.

5. On-line guessing attack is detectable and the following o -line analysis can b e frustrated,

even if Eve attempts to disguise parties (Lemma 1, Theorem 2). Actually, Eve is able

to p erform the on-line attack to either party but its failure is countable. Imp ersonation

of the partyorman-in-the-middle attack is also infeasible without knowing or .

6. O -line guessing attack is also infeasible b ecause Eve cannot disintegrate G (Lemma 1,

Theorem 2). Partition attack is to reduce the set of passwords logarithmically by asking

the oracle in parallel with o -line analysis, while chosen exp onent attack is to analyze

it via her chosen exp onent. Both attacks are infeasible because Eve cannot solve or

0 0

reduce y =(x + )y (x + ) mo d q for guessed passwords without knowing b oth x

and y .

7. Security against password- le compromise is the basic prop erty of AMP family except

n + ++

AMP that has a naked assumption (Lemma 1-2). Additionally, AMP, AMP , AMP ,

and AMP provides the stronger security against the password le compromise by using

& without degrading the p erformance notably; they make such an attack much more

dicult. That is, the password le compromise do es not allow dictionary attacks and

server imp ersonations. Even if & is compromised, a dictionary attack is still necessary

to imp ersonate a client. 15

4.2 Eciency and Constraints

Efficiency. We examine the eciency of AMP and compare it with other related proto cols.

1. In the asp ect of a communication load, AMP has only four proto col steps while the

numb er of large message blo cks is only twoinAMP. They are G and G . For AMP ,

1 2

the size of G can b e b ounded by l (k )+ with negligible when we use a secure prime.

2. A total amount of execution time could be approximated by the number of mo dular

exp onentiation by considering the parallel execution of b oth parties. We describ e it as

E (Al ice : Bob). Note that AMP has intrinsically only 3E , except that AMP has 4E

x y (& + )y $ ey

with explicit salt. AMP has E (g : ), E ( :(G ) ) and E (G : G g ) while all

variants have similar op erations. Here '' means no-mo dular-exp onentiation such as

O ((log n) ). Note that AMP op erations should b ene t from the simultaneous multiple

e e

1 2

exp onentiation metho d for eciency[35 , 28]. As for g g ,we don't need to compute

1 2

e e

1 2

g and g separately. A simple description of the simultaneous metho d is as follows;

1 2

(a) t = length(e); // length of exponent : blog qc + 1

(b) g = g g mod p; // precomputation

x 1 2

1 2 x

(d) A = 1;

(e) set() ffor(i=1;i<=t;i++) fB = ExponentArray(i);gg

(f ) for(i=1;i<=t;i++) fA = A*A mod p; A=A*G[B ] mod p;g

(g) return(A);

e e e e e

3 2 1 2 1

needs 25% more multi-precision multi- g g needs 16% and g g Note that g

3 2 1 2 1

plications than g do es on the average[35 , 28 ].

3. Each party of AMP p erforms only two exp onentiations, resp ectively, regarding the

eciency of the simultaneous multiple exp onentiation. It is the same to the number

in the Die-Hellman scheme though AMP needs more op erations for larger base, Z

op eration or simultaneous exp onentiation.

4. For run time parameters, each party generates only one random numb er, resp ectively,

in AMP family except for AMP . Al ice can reduce her run time exp onentiations to

only once and parallel exp onentiations to only twice, by pre-computation of g . AMP

needs Al ice to generate tworandomnumb ers.

5. In step 3, Al ice should compute (x + ) but only in the q -order subgroup. Mo dular

2 3

inversion, O ((log q ) ), is much less exp ensive than mo dular exp onentiation, O ((log p) ).

Moreover, the size of q can b e b ounded byonlyl (k )+ with negligible by virtue of a

secure prime. Note that O (log l (k )) << O (log p). Therefore, it is quite negligible when

we consider mo dular exp onentiation. 16

Protocol Large Exponentiations Random Numbers

Steps Blocks Client Server Paral lel Client Server

A-EKE 7(+4) 3 (+1) 4(+2) 4(+2) 6(+3) 1 (+0) 1 (+0)

B-SPEKE 4(+1) 3 (+1) 3(+1) 4(+2) 6(+3) 1 (+0) 2 (+1)

SRP 4(+1) 2 (+0) 3(+1) 3(+1) 4(+1) 1 (+0) 1 (+0)

GXY 4(+1) 2 (+0) 4(+2) 3(+1) 5(+2) 1 (+0) 1 (+0)

SNAPI-X 5(+2) 5 (+3) 5(+3) 4(+2) 7(+4) 2 (+1) 3 (+2)

AuthA 5 (+2) / 3 (+0) 2 (+0) 4(+2) 3(+1) 6(+3) 1 (+0) 1 (+0)

PAK-X 5 (+2) / 3 (+0) 3 (+1) 4(+2) 4(+2) 8(+5) 1 (+0) 2 (+1)

AMP 4(+1) 2 (+0) 2 (+0) 2 (+0) 3 (+0) 1 (+0) 1 (+0)

Table 1: Comparisons of Veri er-based Proto cols

6. AMP uses the main group op eration so that it is easy-to-generalize in any cyclic groups.

Therefore, AMP can b e easily implemented on the elliptic curve group. A generalization

on such a group must be very useful for further eciency of space and sp eed, though

there may b e a patent restriction on the elliptic curve algorithms.

Eciency can b e compared to the other related proto cols suchasA-EKE, B-SPEKE, SRP,

GXY, SNAPI-X, AuthA and PAK-X[8 , 19 , 39 , 22 , 27 , 6, 10 ]. Table 1 compares them with

regard to several factors such as the number of proto col steps, large message blo cks, and

exp onentiations. Note that the numb er of exp onentiations of AMP is approximated; actually

2.32 for a server and 3.32 for parallel on the average. Note that AuthA and PAK-X have

ve steps with explicit salt and three steps with implicit salt. We consider ve as their steps

resp ectively b ecause other proto cols are the cases that use explicit salt. The use of explicit

salt do es not a ect any other parameters of AuthA and PAK-X except the numb er of steps.

The number of random numb ers is given as a subsidiary reference. The number of parallel

exp onentiations could compare approximately the amount of proto col execution time. The

value in parenthesis implies the di erence from the most ecient one that is denoted by b old

characters. Note that AMP provides the stronger security against the password le compro-

mise compared to all the others in Table 1.

Constraints. AMP prefers g to be a generator of the large (> l (k )) prime-order sub-

group Z for defeating and avoiding a small subgroup con nement e ectively by con ning

exp onentials into the large prime-order subgroup[30]. A secure prime mo dulus is higly recom-

mended for easy detection of an intentional small subgroup con nement and great eciency

of the proto cols though a safe prime mo dulus is also favorable. Note that the secure prime

is easier to get than the safe prime[24]. A compromise of do es not allow a guessing attack 17 10

A-EKE B-SPEKE SRP 8 GXY SNAPI-X AuthA PAK-X 6 AMP

4 The Number of Each Item Each of Number The 2

steps blocks exp(c) exp(s) exp(p) rng(c) rng(s)

Figure 8. Graphical Representation of Table 1

and a server imp ersonation without additional comromise of & that can b e loaded to memory

from a secure storage like a smart card. As a strong veri er-based proto col, AMP needs

an additional guessing attack complexity for a client imp ersonation even if and & are all

compromised. AMP needs b oth parties to count the other side's on-line failure to detect the

on-line guessing attack. However, this is the shared requirement of all password proto cols.

4.3 Why AMP

Figure 8 rewrites Table 1 graphically so that we can see AMP() has the b est p erformance.

1. AMP is a secure password(-veri er) based proto col on the basis of the ampli ed pass-

word pro of and the ampli ed password le, and its securityisprovable in the random

oracle mo del.

2. AMP is the most ecient proto col among the existing veri er-based proto cols; AMP

provides the b est eciency even with the ampli ed password le.

3. AMP has the light constraints and is easy to generalize, e.g., in elliptic curve groups for

further eciency.

4. AMP has several variants for various functional considerations.

5. AMP truly allows the Die-Hellman based key agreement.

6. AMP has a simple structure so that it is easy to understand and implement the proto col.

7. AMP is favorable to upgrading the existing system; AMP accommo dates any kinds of

salt schemes without notable degrade of p erformance. 18

5 Conclusion

In this pap er, we intro duced a new proto col, AMP, for password authentication and key

agreement, by following the various notable predecessors. AMP has been designed on the

basis of the ampli ed password pro of and the ampli ed password le ideas. The adavan-

tages are well summarzied in section 4.3. We are considering several applications such as

A-Up dates (A-Telnet, A-FTP, A-RADIUS, A-CHAP, and etc.), A-Web Login, AA-Gate, and

Networked Smart Card. Internet business and commercial services are growing rapidly while

p ersonal privacy and security concerns are slower than those activities. Authentication is

undoubtedly very imp ortant. Though the hardware-dep endent authentication metho ds are

growing steadily, the pure password authentication scheme is still reasonable in a distributed

environment, and the public-key based cryptographic proto col is the best solution for im-

proving its security. We should note that the only password authentication metho d can truly

authenticate the human mind over the network. For example, a private-key is not memorable

for human users even in the public key infrastructure so that we need a hardware storage.

Wemightkeep using passwords over the Internet and in mobile environments even with the

hardware-supp orted authentication schemes such as smart card or biometric metho d. Ap-

p endices include the pro of story and the geneology of password proto cols.

Acknowledgment The author thanks Doug Tygar, David Wagner, David Jablon, Radia

Perlman and Li Gong for their helpful comments and kind suggestions on this work.

References

[1] R.Anderson and T.Lomas, \Fortifying key negotiation schemes with p o orly chosen pass-

words," Electronics Letters, vol.30, no.13, pp.1040-1041, 1994

[2] R.Anderson and S.Vaudenay, \Minding your p's and q 's," Asiacrypt'96, LNCS, 1996

[3] M.Bellare and P.Rogaway, \Entity authentication and key distribution," Crypto 93,

LNCS 773, 1993

[4] M.Bellare, R.Canetti, and H.Krawczyk, \A mo dular approach to the design and analysis

of authentication and key exchange proto cols," STOC 98, pp.419-428, 1998

[5] M. Bellare, D. Pointcheval and P. Rogaway, \Authenticated key exchange secure against

dictionary attack," Euro crypt 2000

[6] M.Bellare and P.Rogaway, \The AuthA proto col for password-based authen-

ticated key exchange," available from http://grouper.ieee.org/gro ups/1 36 3/ Study

Group/submissions.html#autha 19

[7] S.Bellovin and M.Merritt, \Encrypted key exchange : password-based proto cols secure

against dictionary attacks," Pro c. IEEE Comp. So ciety Symp. on Research in Security

and Privacy, pp. 72-84, 1992

[8] S.Bellovin and M.Merritt, \Augmented encrypted key exchange: apassword-based pro-

to col secure against dictionary attacks and password- le compromise," Pro ceedings of

the 1st ACM Conference on Computer and Communications Security, pp. 244-250, 1993

[9] M.Boyarsky, \Public-key cryptography and password proto cols: the multi-user case,"

ACM Conference on Computer and Communication Security, 1999

[10] V. Boyko, P. MacKenzie and S. Patel, \Provably secure password authenticated key

exchange using Die-Hellman," Euro crypt 2000

[11] D.Denning, G.Sacco, \Timestamps in key distribution proto cols," Commun. ACM,

vol.24, no.8, pp.533-536, 1981

[12] W.Die and M.Hellman, \New directions in cryptography," IEEE Transactions on In-

formation Theory,vol.22, no.6, pp.644-654, Nov. 1976

[13] Y.Ding and P.Hoster, \Undetectable on-line password guessing attacks," ACM Op erat-

ing Sys. Review, vol.29, no.4, pp.77-86, Oct. 1995

[14] T.Elgamal, \A public-key cryptosystem and a signature scheme based on discrete loga-

rithms," IEEE Trans. Information Theory,vol.IT-31, no.4, pp.469-472, 1985

[15] L.Gong, M.Lomas, R.Needham, and J.Saltzer, \Protecting p o orly chosen secrets from

guessing attacks," IEEE Journal on SAC., vol.11, no.5, pp.648-656, June 1993

[16] L.Gong, \Optimal authentication proto cols resistant to password guessing attacks,"

IEEE Comp. SecurityFoundation Workshop,, pp. 24-29 June 1995

[17] S.Halevi and H.Krawczyk, \Public-key cryptography and password proto cols," The 5th

ACM Conference on Computer and Communications Security,1998

[18] D.Jablon, 'Strong password-only authenticated key exchange', ACM Comp. Comm. Re-

view, vol.26, no.5, pp.5-26, 1996

[19] D.Jablon, \Extended password key exchange proto cols," WETICE Workshop on Enter-

prise Security, 1997

[20] D.Jablon, Personal Communication, May2000

[21] T.Kwon and J.Song, \Ecient key exchange and authentication proto cols protecting

weak secrets," IEICE Transactions on Fundamentals of Electronics, Communications

and Computer Sciences, vol.E81-A, no.1, pp.156-163, January 1998 20

[22] T.Kwon and J.Song, \Secure agreement scheme for g via password authentication,"

Electronics Letters, vol.35, no.11, pp.892-893, 27th May 1999

[23] T.Kwon, \Ultimate solution to authentication via memorable password," Contribu-

tion to the IEEE P1363 study group for Future PKC Standards, available from

http://grouper.ieee.org/groups/ 13 63 /Stud yGroup /Pass wd.h tml #am p

[24] C.Lim and P.Lee, \A key recovery attack on discrete log-based schemes using a prime

order subgroup," Crypto 97, pp.249-263, 1997

[25] M.Lomas, L.Gong, J.Saltzer, and R.Needham, \Reducing risks from p o orly chosen keys,"

ACM Symp osium on Op erating System Principles, 1989, pp.14-18

[26] S.Lucks, \Op en key exchange: how to defeat dictionary attacks without encrypting

public keys," The Security Proto col Workshop '97, April 7-9, 1997

[27] P.MacKenzie amd R.Swaminathan, \Secure network authentication with password iden-

ti cation," Presented to IEEE P1363a, August 1999

[28] A.Menezes, P.van Oorschot, S.Vanstone, Handbook of applied cryptography, CRC

Press,Inc., 1997

[29] K.Nyb erg and R.A.Ruepp el, \Message recovery for signature scheme based on the dis-

crete logarithm problem," Euro crypt 94, pp. 182-193, 1994

[30] P.van Oorschot and M.Wiener, \On Die-Hellman key agreement with short exp onents,"

EUROCRYPT 96, pp. 332-343, 1996

[31] S.Patel, \Numb er theoretic attacks on secure password schemes," IEEE Symp osium on

Security and Privacy,1997

[32] S.Pohlig and M.Hellman, \An improved algorithm for computing logarithms over GF (p)

and its cryptographic signi cance," IEEE Transactions on Information Theory, vol.24,

no.1, pp.106-110, 1978

[33] J.Pollard, \Monte carlo metho ds for index computation mo d p," Mathematics of Com-

putation, vol.32, pp.918-924, 1978

[34] M.Ro e, B.Christianson, D.Wheeler, \Secure sessions from weak secrets," Technical re-

p ort from UniversityofCambridge and University of Hertfordshire, 1998

[35] C.P.Schnorr, \Ecient identi cation and signatures for smart cards," Crypto 89, LNCS,

pp.239-251, 1989

[36] M.Steiner, G.Tsudik, and M.Waidner, \Re nement and extension of encrypted key ex-

change," ACM Op erating Sys. Review, vol.29, no.3, 1995, pp.22-30 21

[37] G.Tsudik, E.van Herreweghen, \Some remarks on protecting weak keys and p o orly-

chosen secrets from guessing attacks," Pro c. 6th IEEE Comp. SecurityFoundation Work-

shop, 1993, pp.136-142

[38] V.Voydo c and S.Kent, \Securitymechanisms in high-level network proto cols," Comput-

ing Surveys, vol.15, no.2, June 1983, pp.135-171

[39] T.Wu, \Secure remote password proto col," Internet So ciety Symp osium on Network and

Distributed System Security,1998

A AMP Pro of Story

A.1 A Communication Mo del

We assume all communication among interacting parties is under the adversary's control[3 ].

The Protocol. The proto col can b e formally sp eci ed by an eciently computable function

fortwoplayers; set I 2fA; B g for Al ice and Bob. Eve is not included in the players[3].

De nition 8 Our protocol is a set of function (1 ;;;r)=(m; ;) for I .

1 is the security parameter, k 2 N . 2 f0; 1g is the secret information of the sender.

2 f0; 1g is the conversation so far. r 2 f0; 1g is the random coin ips of the sender.

m 2 f0; 1g [fg is the next message for a reply. 2 fAccept; R ej ect; g is the decision.

2 f0; 1g [ fg is the agreed session key. For example, indicate Al ice computes on

Bob's message and gives out an output in session s. Each party is formally mo deled by an

where i and j 2N indicate the instances. Thus Eve and in nite collection of oracles;

, and attempts to obtain desired information. can call the oracles, and

The Long-lived Weak-key Generator. A long-lived weak-key(LW-key) generator is

! (k ) 1

W (1 ;;r ) where 2 I [fE g and r 2 f0; 1; g . Note that the LW-key may have a

G G

length of k but its entropy is totally di erent When we assume the strong-key length is only

k , i.e., our security parameter, the parameter ! (k ) means the low entropy of the LW-key.

! (k ) k

Brute-forcing 2 values is feasible whereas k is large enough against brute-forcing 2 val-

! (k ) k

ues (hence 2 << 2 ). The p oint of the LW-key is that the adversary is denied by the

! (k )

generator as like the long-lived key case[3 ] but it is acceptable in the probabilityof 2 .

! (k ) ! (k ) ! (k )

Our mo del agrees on W (1 ;A;r )= , W (1 ;B;r )= , and W (1 ;E;r )=.

G G G

The Adversary. The adversary Eve is represented as a probabilistic machine E (1 ; ;r )

E E

k s

for i 2 I and s 2N[3 ]. Let Pr[] 2 be a equipp ed with an in nite collection of oracles

Actually the LW-key, i.e., the password, is chosen bya human-user through a restricted input device. 22

negligible probability for our security parameter k . Eve is allowed to do everything she wants

except for solving the discrete logarithm problem as well as the Die-Hellman problem, and

nding out a hidden-value in a negligible probability. Therefore, we can say; fPr[Discrete-

E E E E

Log (k )],Pr[Die -Hellman (k )]g< 2 where Discrete-Log (k ) and Die-Hellman (k ) are

suchevents. When the adversary is deterministic and restricts its action to faithfully convey-

ing each ow among oracles, i.e., matching conversations, she is called a b enign adversary[3 ].

s t

Let No-Matching (k ) be the event that is accepted and there is no oracle which en-

i j

gaged in a matching conversation. Eve communicates with the oracles via queries of the

form Q(i; s; n); Eve sends message n to the oracle of i. There are some sp ecial queries for

! (k )

adversary suchas Q(i; s; g uess) for searching at most 2 space with the LW-key generator,

and Q(i; s; compr omise) for compromising a veri er. Note that a compromise query converts

s to a compromised session for handling a password le compromise[8]. Also note that the

number of failures of the query Q(i; s; g uess) asked to fresh oracles is counted globally. We

de ne that counter C for i 2 I . If has accepted, Eve is able to send other sp ecial queries;

Q(i; s; reveal) for compromising a session key, Q(i; s; cor r upt) for compromising a password

and Q(i; s; test) for measuring adversarial success. Note that a corrupt query converts s to a

corrupted session for handling p erfect forward secrecy[18 ], while a reveal query converts s to

arevealed session for handling a known-key attack (Denning-Sacco attack)[11 ].

The Sessions. Dep ending on the abilityofthe adversary, we can classify considerable ses-

sions as follows. There must be FreshSession and UnfreshSession. They can be converted to

SucceededSession or FailedSession. SucceededSession can b e devided into MatchedSession and

No-matchedSession. Each session could allow the adversary to have some valid information

before running or examining those sessions. FreshSession can be devided into PureFreshSes-

sion in which valid information is never provided, and CompromisedButFreshSession where

the veri er is provided. UnfreshSession can be devided into RevealedSession that provides

(x+e)y

g or K , and and CorruptedSession provides . CompromisedUnfreshSession is negligible

b ecause o -line guessing attacks on is inevitable in every proto col. The adversary is allowed

to use all of these session for achieving her goals.

Running The Protocol. Running a proto col (with the LW-key generator W ) in the

presence of Eve and k , means p erforming the following exp erimentinagiven session: Cho ose

1 k k

a string r 2 f0; 1g and = W (1 ;i;r ), for i 2 I ,andset = W (1 ;E;r ). Cho ose a

G R i G E G

s 1 1 s

string r 2 f0; 1g for i 2 I and s 2N, and a string r 2 f0; 1g . Let = for all i 2 I

R E R

i i

and s 2N. Run the adversary, E (1 ; ;r ), answering oracle calls as follows. When E asks

E E

s k s s

a query, Q(i; s; n), oracle answers with (m; )by computing (m; ;)= (1 ;; :n; r ),

i i i

s s s

and sets = :n. The adversary cho oses an oracle and asks as she wants.

i i i

Security Definition. The following de nition is derived from work of Bellare and Rogaway[3 ], 23

and the following work of Stefan Lucks[26 ].

De nition 9 Protocol is a secure authenticated key exchange with a LW-key

generator W () if the fol lowing statements are true:

1. If two oracles have matching conversations, then b oth oracles accept and agree on the

identical key.

2. If it is the case that the oracles accept and agree on the same key, then the probability

of no-matching is negligible.

3. If Eve is b enign, her probability of success is negligible.

! (k )

4. If Eve has b een rejected R times, the p ossible set of decreases linearly,2 R .

! (k )

5. If Eve has b een rejected R (< 2 1) times but nally remains b enign, her probability

of success is still negligible.

A.2 Security Examination

Note that we abbreviate & for convenience in this section. We show the security of our

proto col by inducing that the probability of success for adversary is negligible. Our most

E E

favorite to ols are, of course, Discrete-Log (k ) and Die-Hellman (k ).

Lemma 1 The probability of success is negligible for forging G or G in FreshSession of AMP.

1 2

Pro of Sketch: The adversary Eve is allowed to ask Q(i; s; G )orQ(i; s; G )forFreshSession.

1 2

1. Let Eve cho ose x 2 Z and ask Q(B; s; g ) in PureFreshSession. Then resp onds

R q B

0 1

0 0

(x+ ) (x+e)

(x+ )y y (x+e)

with G = g . Eve could nd = g by computing G and

2 2

0 0

! (k )

asking Q(B ; s; g uess) with 2 f0; 1g . However, she cannot verify = , i.e.,

0 0

y (x+e) (x+e)y

ahead of H . The probabilityof successful g = g , without submitting H

! (k )

submission is 2 . C must count up the number of failures so that her attack can

! (k )=2

b e detected easily in only R trials where R is very small such that R<<2 .

2. Let Eve cho ose x 2 Z and ask Q(B; s; ) in CompromisedButFreshSession. Note

R q

that guessing attacks on is not a concern in CompromisedButFreshSession. Then

(x+1)

(x+1)y y

resp onds with G = g . Eve could nd g simply by G . However, as

(x+e)y

long as she is not given , she cannot comp ose g without nding y . Finding y is

b ounded by Pr[Discrete-Log (k )] so that it is negligible.

3. Let Eve cho ose c 2 Z and ask Q(A; s; g ) where she is given G in PureFreshSession.

R q 1

0 1

(x+ ) (x+e)

Then resp onds with H by getting = (G ) . We can rewrite c =

A 1

0 0 0 0 0 0

(x + )y mo d q where and y are variables. Eve must nd y such that y

0 0 0 0

1 e y

c(x + ) (mod q ) for getting =(G g ) and verifying = . For the computation

1 24

of y , it is necessary to know x of G . However, getting x from G is b ounded by

1 1

Pr[Discrete-Log (k )] so that it is negligible.

0 0

! (k )

4. Let Eve cho ose y 2 Z and 2 f0; 1g , and ask Q(A; s; G ) where she is given

R q R

0 0

=(G g ) . Then resp onds with H by computing G in PureFreshSession and G

1 A 1 1

0 1 0 1 0

(x+ ) (x+e) (x+ )y (x+ ) (x+e) y (x+e)

=(G ) , but note that =(g ) , i.e., = g rather

0 0

y (x+e) 0 1

than g where y (x + )y (x + ) (mod q ). Finding y or is the only way for

Eve to b e accepted by the oracle.

>l (k )

(a) x chosen by , x 2 f0; 1g , is not given to Eve. We can say that = if

A R

and only if y y (mod q ). It corresp onds to the on-line attack. (i) Let Eve attempt to

0 0

verify = . However, is rather a constant b ecause she de ned it b efore receiving

H from . Eve cannot replace for further veri cation without retrying it on line.

1 A

! (k )

The probability of = is 2 ; an extremely low probability for on-line success.

Due to the maximum count of on-line failure, C = R ,shemust b e denied by the oracle

! (k )

b efore trying 2 R more guesses. The probabilityof 6= is very high suchthat

0 0

Pr[] 1 . Therefore, we can say hereafter is a constant such that 6=

! (k )

2 R

in this case. (ii) Let Eve attempt to nd y but she has to know x for attempting the

0 1

equation, y (x + )y (x + ) (mod q ). Finding x from G is b ounded by Pr[Discrete-

y 0

e y (x+e)

, it is Log (k )] so that it is negligible. Even if Eve computes = (G g ) = g

0 0 0

clear that 6= when 6= . Thus, the probability of nding y is Pr[] < 2 .

00 00 00 00 0 00

! (k ) y (x+e+ )y y

(b) Let Eve guess 2 f0; 1g and compute = G g = g for

00 0 00

! (k )

verifying = in 2 probability, rather than attempt to replace with , where

00 0 00 00 00

e y

G =(G g g ) . If = with guessed , she can b e convinced = . Thus, if the

0 0 00

equation, (x + )y (x + ) (x + e) (x + e)y + y y (mod q ) is true, then she can

! (k )

nd in 2 probability, regardless of x and . Otherwise, she has to nd x rst. We

0 0 00

1 1 1

can rewrite it as, (x + ) 6 y (x + ) (6 x+ 6 e) (6 x+ 6 e) 6 y (1 + x x )( mo d q ).

0 0 00

1 1 1 1

That is, (x + )(x + ) (1 + x x )( mo d q ). We can transp ose (x + ) so

0 0 00 0 00 00

1 1 0 1 1

that, (x + ) (x + )+(x + ) x (x + ) x x + + + x x

0 00 0 00 0

(x + )+( )+( )x (mo d q ). Then, we can transp ose (x + )

00 0 00

so that; 0 ( )+( )x (mo d q ). Therefore, the equality such that,

0 00 00 0 00

= = (due to = and = ), is the mandatory requiremet of this mo dular

equation. However, the probability of success is negligible b ecause 6= with very

high probabilityaswementioned ab ove in (a). Therefore, Eve must nd x for getting

. The probabilityofverifying = is Pr[] < 2 .

After all, the probability of success is negligible for forged queries in FreshSession.

Theorem 2 AMP is a secure authenticated key exchange protocol with W ().

Pro of Sketch: We deal with each condition of De nition 9.

1. A completeness of the proto col in MatchedSession is already shown in Figure 1. 25

2. The nal acceptance means b oth H and H are successfully veri ed. Therefore, we

1 2

have to scrutinize whether it is p ossible in No-matchedSession. If it is not true, wemay

have Pr[NoMatching (k )] 2 .

(a) The birthday paradox is negligible due to the nature of the random oracle, h () :

l (k )

l (k ) k

f0; 1g !f0; 1g ; the probabilityis2 2 .

(b) Due to item (a), the correct value K (= K = K ) is mandatory for the acceptance

1 2

even in sf No-matchedSession. For nding K , Eve must obtain or due to the

(x+e)y

one-way prop erty of random oracles. i) The probabilityof guessing g (= = )

k log G

in PureFreshSession is Pr[] < 2 . ii) Rewrite and where G = g and G =

1 2

1 1 1

(log G + ) log G (log G + ) (log G +e) e (log G + ) log G

1 2 1 1 1 2

(G ) , i.e., = (G ) = (G g ) = .

1 2 1

For G there is nothing ahead, but for G we need G . Note that (G ; G ) ! e. Thus, we

1 2 1 1 2

can nd easily the ows, (G !G ! e ! ) and (G !G ! e ! ). Without such

1 2 1 2

l (k )

ows, the exp onents of G and G must b e analyzed but the probabilityis Pr[] 2

1 2

even with a forged attempt byLemma1.

After all, wehave Pr[No Matching (k )] 2 so that it is infeasible in No-matchedSession.

3. When Eve is b enign, all she receives from the oracle are fid; ; G ; G ; H ; H g for

1 2 1 2

every session where their internal values, x and y , are indep endent random values

>l (k ) x y

from f0; 1g . Therefore, g , g , and their comp osition on the cyclic group must b e

well distributed on the group. We assume the uniform distribution. Since W (E ) =

0 0

y y

by guessing in G and G , is less than and G =(G g ) , the probability of nding g

1 2 2 1

(! (k )+l (k ))

2 . For verifying the guess of , Eve must nd or for asking the random

(x+e)y x (x+ )y

oracle. However, nding g over g and g without must be b ounded by

Pr[Die-Hellman (k )] so that it is negligible. Therefore, the probability of success for

b enign Eve is Pr[] < 2 .

4. Since G and G remain on the cyclic group under uniform distribution, there is no way

1 2

to nd the relationship b etween the rejected guesses and the remaining guesses. Other

p ossibilities are all negligible by Lemma 1. If Eve is rejected, she must reduce the set

! (k )

byone,2 1, and try again with another guess. That is, the set is reduced linearly.

Therefore, the success probability of her on-line guess is only Pr[] for very

! (k )

2 Rc

small c( 0). She must b e denied by the oracle only in R trials by Lemma 1.

! (k )

5. Assume all C s are set o and Eve has been rejected with di erent guesses 2 2

times by the oracle, then she could have b ernoulli trial on two remaining guesses; if

one is rejected then the other is the one and vice versa. However, assume Eve do es not

participate in FreshSession any more but she only b e b enign in FreshSession. Then, she

is only able to analyze all rejected messages and new eavesdropp ed messages equipp ed

with b ernoulli trial on guess. For actual participation, the probability was less than

k (l (k )+1) k

2 by Lemma 1. For her analysis, the probabilityis2 (< 2 )by item 3 of this

pro of. Hence, the probability of success for partially b enign Eve is negligible. That 26

means if Eve attempts o -line analysis even with a small dictionary, she do es not have

anyadvantage without knowing x or y for each message.

AMP is a secure authenticated key exchange proto col with a LW-key generator W ().

Lemma 2 The adversary does not bene t from RevealedSession or CorruptedSession for achiev-

ing each goal.

Pro of Sketch: Eve attempts to nd or in RevealedSession while she attempts to nd K

or (= )inCorruptedSession. If Eve b ene ts from each session, the given information must

make non-negligible probability of success or makesomeadvantage for the query Q(i; s; test).

1. Let Eve ask Q(i; s; r ev eal ). Then she is given K and (= ) in RevealedSession.

Due to the one-way prop erty of random oracles, we assume (= ) is given. Since

(= ) is not re-usable due to x and y , she cannot attempt to be granted on-line.

For tracking to or , she must b e also in MatchedSession. Then we say she is given

x (x+ )y (x+e)y

fid;;e;g ;g ;g ; H ; H g with matching-conversations. For verifying and

1 2

0 0

(x+ )y

, she should make g on the given information but she cannot make it without

y (x+e)y y (x+ )

nding y . Otherwise, she has to nd x for nding g from g and making g .

Both are still b ounded by Pr[Discrete-Log (k )]. It is not dicult to understand Re-

vealedSession is not advantageous to Eve.

2. Let Eve ask Q(i; s; cor r upt). Then she is given and in CorruptedSession. Duetothe

one-way prop erty of random oracles, we assume is given. For tracking to K or (= ),

x (x+ )y

she must b e also in MatchedSession. Then she is also given fid;;;e;g ;g ; H ; H g

1 2

(x+e)y $y

with matching-conversations. For making g , she should remove $ from g and

nd y where $ = x + . Finding $ includes x so that b oth ndings must b e b ounded

by Pr[Discrete-Log (k )]. Even if we assume $ is removed, the problem is still b ounded

by Pr[Die-Hellman (k )]. It is not dicult to understand CorruptedSession is not ad-

vantageous to Eve. 27 B Genealogy of Password Protocol

1989 LGSN [25]

1992 EKE [7] DH-EKE [7]

1993 TH [37] GLNS [15] A-EKE[8]

1994 AL [1]

1995 Gong [16] M-EKE [36]

1996 SPEKE [18]

1997 OKE [26] A-SPEKE [19] B-SPEKE [19] 1998 HK [17] S3P [34] KS [21] KS-II [21] SRP [39] SNAPI [27] 1999 Boyarsky [9] GXY [22] SNAPI-X[27] 2000 PAK [10] AuthA [6] AMP [23] PAK-X[10]

Figure 9. Password Authentication Protocols 3

3 The above genealogy is typically based on the opinion of the author. We analyzed all the protocols carefully and arranged them in the figure by considering their similarity or improvement. However, each author of the protocols could have different opinions. At this moment, we would like to make it clear

that the above genealogy is only one of good references. 28